HHS Releases Healthcare Ransomware, HIPAA Guidance

HHS Releases Healthcare Ransomware, HIPAA Guidance

In light of recent healthcare ransomware attacks, HHS created a fact sheet to help covered entities keep ePHI secure and follow HIPAA regulations.

Conducting a risk analysis, regular user training, and maintaining an overall contingency plan are just a few of the recommendations from the Department of Health and Human Services (HHS) in its recent healthcare ransomware and HIPAA guidance.

The new guidance is meant to help covered entities and business associates reinforce their adherence to HIPAA regulations, and also better prevent, detect, contain, and respond to threats.

Electronic data being compromised through cybersecurity threats, including ransomware, is one of the biggest current threats to the industry, Office for Civil Rights Director Jocelyn Samuels explained in a blog post.

“Organizations need to take steps to safeguard their data from ransomware attacks,” Samuels wrote. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”

The HHS guidance reminds healthcare organizations that there are aspects of HIPAA compliance that could be greatly beneficial in preventing healthcare ransomware attacks, as well as being able to recover from them.

For example, the HIPAA Security Rule requires that procedures designed to guard against and detect malicious software be implemented. Moreover, covered entities need to implement access controls to limit epHI access, so only necessary individuals or software programs require access.

HHS added that the Security Rule has minimum requirements, but that healthcare organizations are permitted and encouraged to implement more security measures as deemed necessary to protect ePHI:

The Security Management Process standard of the Security Rule includes requirements for all covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI the entities create, receive, maintain, or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level.

In terms of recovering from a potential healthcare ransomware attack, HHS stated that implementing a data backup plan is not only required under HIPAA rules, but will help in the wake of an attack.

“During the course of responding to a ransomware attack, an entity may find it necessary to activate its contingency or business continuity plans,” reads the guidance. “Once activated, an entity will be able to continue its business operations while continuing to respond to and recover from a ransomware attack.”

HHS also discussed the issue of whether or not a healthcare ransomware attack should be considered a HIPAA data breach. HIPAA rules state that, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI” is a data breach.

Therefore, if ePHI is encrypted through a ransomware attack, then a breach has occurred because unauthorized individuals have taken control of the information.

“Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred,” HHS said.

From there, the covered entity or business associate must adhere to the HIPAA breach notification requirements.

However, HHS noted that if the ePHI was properly encrypted before the data security incident took place, then it is not considered “unsecured PHI” and “the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”

Each situation will be different though, and HHS stated that even if data is encrypted, further analysis may need to be completed to determine that the PHI has in fact been rendered “unreadable, unusable, and indecipherable” to unauthorized individuals.